Bypass MFA Bypass for Support

Story time

An employee has called up the helpdesk again with a missing MFA token. They need to re-register and get everything set up, but this is an executive assistant and they are trying to present to the board. They need access NOW, so what do you do?

Tired

A quick fix is to pull the user out of the CA policies enforcing MFA, whether that means adding them to a special exception group or manually removing them from any enforced policies. This ensures they aren’t required to have their token(s) available, but it also means their account remains vulnerable for a period left up to administrators to remember.

What happens when the administrator forgets to put the enforcement back on? Best case, you catch it in an internal review and remediate. Next best case, it’s caught on an audit. Worst case? A threat actor takes advantage of the hole.

Wired

Same situation, but this time you create a temporary access pass for the end user. No policy changes, no exceptions. You give the user a code with appropriate restrictions and they can make it through their emergency without having to sacrifice posture. Then, at a later time, they can take the steps they need to register without the pressure of presentation.

Temporary Access Pass FTW

In Entra ID, administrators have the ability to issue a Temporary Access Pass as a method of strong authentication. It serves a variety of use cases, including onboarding new users without requiring security exceptions. Applied correctly, with the right human processes around it, it can fight the nastiness of exception management that often accompanies strong authentication deployments.

Issuance

Issuing a temporary access pass is pretty straightforward and can be tested without impacting existing authentication methods on a user account.

  1. Log on to https://portal.azure.com/ with an administrative account.

  2. Navigate to the Users view.

  3. Search for and open a user’s account.

  4. On the left hand navigation, click on Authentication Methods.

  5. In the top left corner of the Authentication Methods content pane, select Add authentication method.

  6. In the right side flyout, select Temporary Access Pass from the Choose Method dropdown.

  7. Configure (see below).

  8. Select Add on the bottom of the flyout.

  9. Copy and share the Passcode from the final screen.

Configuration

Global Policy

There are several controls available for the policy.

| Control              | Values                | Recommendation |
|----------------------|-----------------------|----------------|
| Enabled              | Enabled or Disabled   | Enabled        |
| Minimum Lifetime     | 10 minutes to 30 days | 10 minutes     |
| Maximum Lifetime     | 10 minutes to 30 days | 1 day          |
| Default Lifetime     | 10 minutes to 30 days | 1 hour         |
| Length               | 8 to 48               | 8 characters   |
| Require one-time use | Enabled or Disabled   | Enabled        |

I do want to call out the requirement for one-time use. This is a critical component to keeping these passes secure, as it prevents a captured passcode from being replayed. If you choose to allow administrators to use their discretion, appropriate training must be provided to define when it should be enabled on issuance.

To modify the policy, go to Portal > Microsoft Entra ID > Security > Authentication Methods > Temporary Access Pass > Configure.

Per Issuance

At issuance of the token, the administrator may adjust two primary values:

| Control      | Values                                           |
|--------------|--------------------------------------------------|
| Lifetime     | Global Policy Minimum to Global Policy Maximum   |
| One-time use | Toggle enabled or disabled based on Global Policy |
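The same issuance and per-issuance controls can be driven from Microsoft Graph PowerShell, which is handy when the helpdesk runbook needs to be repeatable. This is an added example, not code from the original post; it assumes the Microsoft.Graph module is installed, and the user UPN and the 60-minute lifetime are placeholders. It reads the global policy first so the request stays inside the configured minimum and maximum, and it always forces one-time use regardless of what the policy leaves to discretion.

```powershell
# Added example, not from the original post: issue a one-time Temporary Access Pass
# via Microsoft Graph PowerShell instead of the portal flow described above.
# Assumes the Microsoft.Graph module is installed; UPN and lifetime are placeholders.
Connect-MgGraph -Scopes "Policy.Read.All", "UserAuthenticationMethod.ReadWrite.All"

$userUpn          = "assistant@contoso.example"   # placeholder user
$requestedMinutes = 60                            # long enough to get through the board meeting

# Read the tenant's global TAP policy so the issuance respects its bounds.
$policyUri = "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/" +
             "authenticationMethodConfigurations/TemporaryAccessPass"
$policy = Invoke-MgGraphRequest -Method GET -Uri $policyUri

if ($policy.state -ne "enabled") {
    # This is the condition behind the "converged policy" error when issuing from the portal.
    throw "Temporary Access Pass is disabled in the authentication methods policy; enable it first."
}

# Clamp the requested lifetime to the policy's minimum/maximum instead of letting the call fail.
$lifetime = [Math]::Min(
    [Math]::Max($requestedMinutes, $policy.minimumLifetimeInMinutes),
    $policy.maximumLifetimeInMinutes)

# Always issue one-time passes, even when the global policy leaves the toggle to the admin.
$body = @{
    lifetimeInMinutes = $lifetime
    isUsableOnce      = $true
}

$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $userUpn -BodyParameter $body

# The passcode is only returned at creation time: hand it over out of band and keep it out of logs.
"Issued for $userUpn, valid $($tap.LifetimeInMinutes) min from $($tap.StartDateTime), one-time use: $($tap.IsUsableOnce)"
"Passcode: $($tap.TemporaryAccessPass)"
```

Existing passes on the account can be listed with Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $userUpn, which is a quick way to confirm the one-time flag during an internal review.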

Troubleshooting

Converged Policy Issue

This indicates that Temporary Access Passes have not been enabled in your organization. Use these steps to enable them:

  1. Authenticate to https://portal.azure.com/.

  2. Open the Microsoft Entra ID view.

  3. On the left hand navigation, select Security.

  4. On the left hand navigation, select Authentication Methods.

  5. Select Temporary Access Pass.

  6. Toggle the Enable switch.

  7. Try issuing a pass again.
